Patch release notes 2009a
Release notes for Vyatta NOS 2009a, released October 26, 2020.
Issues resolved
Issues resolved in release 2009a.
| Issue number | Priority | Summary |
|---|---|---|
| VRVDR-53138 | Blocker | IPsec RA-VPN Client and Server regression broken on latest Halifax regression builds |
| VRVDR-52918 | Blocker | 1912f - Hardware CPP not conforming to limiter rates |
| VRVDR-52906 | Blocker | QoS - Bandwidth Must match <<number><suffix>> |
| VRVDR-47760 | Blocker | J2: QoS - Increase configuration limits for 100G for hardware platforms |
| VRVDR-53342 | Critical | uSDE-->Node showing error while checking show interfaces dataplane dp0s9 affinity Attach |
| VRVDR-53302 | Critical | Boundary Clock lost sync and is unable to re-acquire lock |
| VRVDR-53278 | Critical | Desired speed in VOQ setup can overflow int param |
| VRVDR-53102 | Critical | OSPFv2: prefer loopback address for use as forwarding address in NSSA LSAs |
| VRVDR-53065 | Critical | YANG tweaks to allow NCS to compile Vyatta YANG files |
| VRVDR-53014 | Critical | commit-confirm not working via vcli scripts |
| VRVDR-52995 | Critical | Grub update during image upgrade is broken |
| VRVDR-52994 | Critical | BFD: Show bfd session details shows incorrect stats |
| VRVDR-52993 | Critical | License enforcement for hardware other than UFI-SPACE is bringing down the dataports |
| VRVDR-52912 | Critical | service-user creation fails due to moved SSSD databases |
| VRVDR-52885 | Critical | The dataplane interfaces are down when configuring the cpu-affinity |
| VRVDR-52855 | Critical | Creating service users fails |
| VRVDR-52850 | Critical | Egress ACL in s/w path will not match router originated traffic |
| VRVDR-52841 | Critical | S9500-30XS: Receiving only 10Gig traffic going over 25Gig links |
| VRVDR-52740 | Critical | show interfaces affinity and show interfaces identify returns error Error: Unknown RPC |
| VRVDR-52451 | Critical | bgpd process crashed when performing snmpwalk with BGP configuration |
| VRVDR-52401 | Critical | Degradation of throughput by 10%-40% on v150 with 100M physical interface and QOS |
| VRVDR-52383 | Critical | PTP: Internal errors causing PTP stack not to be created |
| VRVDR-51749 | Critical | DHCPv6 address not getting renewed automatically on client node after DHCP server rebooted and only works when deleted/reconfigured DHCPv6 config was added on the client node. It works fine for DHCPv4. |
| VRVDR-51678 | Critical | PTP: Slave clock sees significant time-error when GPS signal fails on SIAD, when it switches to PTP |
| VRVDR-51256 | Critical | ACM VCI component does not seem to work correctly with only default values |
| VRVDR-43307 | Critical | vyatta-ike-sa-daemon: TypeError: 'IKEConfig' object does not support indexing |
| VRVDR-53314 | Major | dhcp-client overlap-subnet script fails on DANOS due to missing vrfmanager Python module |
| VRVDR-53275 | Major | Flexware: Update platform detection for new large boxes based on latest production boxes |
| VRVDR-53244 | Major | Barcelona board should be made generic |
| VRVDR-53199 | Major | Configuring unreachable static route causes a zebra and dataplane restart |
| VRVDR-53191 | Major | IPsec commands do not work unless acm rules for rpc-default and notification-default are configured |
| VRVDR-53062 | Major | Missing logs for enforcement action taken for licensing |
| VRVDR-53061 | Major | Allow ACL rulesets to set an address-family flag in the group structure |
| VRVDR-53022 | Major | [ext]community-list and access-list translation issues in DANOS |
| VRVDR-52997 | Major | tacplusd get_tty_login_addr() may overflow buffer |
| VRVDR-52910 | Major | service-users LDAP password and local encrypted-password values not redacted in audit logs or TACACS+ authorization requests |
| VRVDR-52909 | Major | RIP MD5 passwords not redacted in audit logs or TACACS+ authorization requests |
| VRVDR-52851 | Major | FAL Broadcom plugin needs to be tuned to optimize to 100G QoS performance |
| VRVDR-52843 | Major | Output of static entries in ARP table has changed |
| VRVDR-52739 | Major | Port value in tunnel policy without specifying protocol causes error protocol must be formatted as well-known string. for the IPsec show commands |
| VRVDR-52677 | Major | When multiple peers use the same local-address, no authentication ids, and unique pre-shared-keys IKEv2 based IPsec stuck in 'init' for all but one peer |
| VRVDR-52611 | Major | i40e driver silently drops multicast packets causing VRRP dual master |
| VRVDR-52468 | Major | Neg Rx value not updated if requested value cannot be used |
| VRVDR-52404 | Major | ICMP error returned with corrupted inner header causes seg-fault when passed through a FW/NAT44/PBR rule with logging enabled |
| VRVDR-52188 | Major | start virt guest XYZ does not report errors |
| VRVDR-51332 | Major | PTP: Unable to cope with config change where master and slave swap ds-ports (slave does not come up) |
| VRVDR-52825 | Minor | Configuring three sub-levels of time-zone is not possible, causing upgrade from earlier version to fail |
| VRVDR-52546 | Minor | GUI hangs/loading and finally timeout with an error message on browser |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 2009a.
| Issue number | CVSS | Advisory | Summary |
|---|---|---|---|
| VRVDR-52921 | 7.9 | DSA-4760-1 | CVE-2020-12829, CVE-2020-14364, CVE-2020-15863, CVE-2020-16092: Debian DSA-4760-1: qemu security update |
| VRVDR-53283 | 7.8 | DSA-4769-1 | CVE-2020-25595, CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600, CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604: Debian DSA-4769-1: xen security update |
| VRVDR-53273 | 7.8 | DLA-2385-1 | CVE-2019-3874, CVE-2019-19448, CVE-2019-19813, CVE-2019-19816, CVE-2020-10781, CVE-2020-12888, CVE-2020-14314, CVE-2020-14331, CVE-2020-14356, CVE-2020-14385, CVE-2020-14386, CVE-2020-14390, CVE-2020-16166, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25641, CVE-2020-26088: Debian DLA-2385-1: linux-4.19 LTS security update |